Privileged accounts are found in virtually every application, database and infrastructure device throughout the enterprise and provide access to every critical IT process within your organization. The accounts are normally shared credentials that are not easily associated with an individual on the network. They are normally named after the service they provide, to clearly represent the role they serve in delivering IT services, e.g. "admin" or "root." The risk these accounts carry grows along with your organization unless great care is taken to control their use and availability.
Privileged passwords can provide a layer of security to company data by enforcing a password challenge upon access. However, the protection these accounts provide stops there. Because so much rests on that single layer of security to protect the underlying data, the risk these accounts present is in direct proportion to the controls in place to manage passwords and track access attempts, and securing the accounts properly becomes a time-intensive manual process.
Even though there are many products and services in the market that provide efficient ways to manage these accounts, I am a firm believer in understanding the manual ways of delivering a solution before embarking on automation, both for education and awareness and for product selection. Here are the steps I recommend to determine your current password liability and to regain control:
- Create an inventory
Investigate where privileged accounts are used and what services depend on them. This becomes complicated once you peel back the cover on hard-coded accounts in source code, Internet services and service accounts used for desktops and mobile devices. At an early stage, begin to enforce inventory collection in your change control process. The problem grows exponentially, so early tracking can save money and time later. For example: 300 Oracle databases, each with 30 predefined accounts, equals 9,000 shared privileged accounts.
- Renew policy and standards
Review or create policies and standards associated with your account use and passwords, including privileged accounts. Limit privileged account use as much as possible and assign equivalent privileges to individual identities to shore up accountability. Escrow primary administrative or embedded account passwords and use a "break glass in case of emergency" rule.
- Build a cost benefit analysis
Calculate the costs associated with managing the privileged accounts using the inventory created above. The benefits will include administrative cost reductions, a greater security posture and improved compliance with state and federal regulations.
- Determine approach
Adopt an approach to begin establishing the necessary controls to manage the risk appropriately. This applies whether you elect a manual or an automated method. Stage the identified projects to determine the likely impact on production services and the resource requirements. If you are adopting an automated or centralized product, be aware of virtual environments and the shift in risk that comes with centralizing the activity.
- Audit compliance
Ensure the selected approach, at each stage of implementation, has a way to determine if the process is in control. Auditing account histories and monitoring access on identified privileged accounts will provide a baseline to gauge your financial organization's effectiveness.
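The inventory step and the audit step above are the two that lend themselves to a manual, scriptable process. The following is an added example, not code from the article or its author: it builds a privileged-account inventory from a constructed host list, flags hard-coded credentials in constructed source and config snippets, and then replays constructed access-log lines against the inventory to produce the kind of usage baseline the audit step calls for. The host names, account names, file paths, log format and IP addresses are all assumptions made up for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: hosts and the predefined/shared privileged accounts on each.
# In practice this list is what the change-control process should be feeding.
HOSTS = {
    "ora-db-01": {"type": "oracle", "accounts": ["SYS", "SYSTEM", "DBSNMP"]},
    "ora-db-02": {"type": "oracle", "accounts": ["SYS", "SYSTEM", "DBSNMP"]},
    "web-01": {"type": "linux", "accounts": ["root"]},
    "fw-01": {"type": "network", "accounts": ["admin"]},
}

# Constructed sample source/config snippets (hypothetical paths and contents).
SNIPPETS = {
    "app/config/db.properties": "db.user=SYSTEM\ndb.password=changeme\n",
    "scripts/backup.sh": "sqlplus SYS/oracle@ora-db-01 as sysdba\n",
    "app/main.py": "print('hello')\n",
}

# Two crude signatures for embedded credentials: key=value password settings
# and the user/password@service form used by some database command lines.
HARDCODED = re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*\S+|\b[A-Za-z_]+/\S+@\S+")

# Constructed access log: "<timestamp> <host> <account> <source-ip> <SUCCESS|FAIL>".
LOGS = """\
2008-08-01T09:00:01 ora-db-01 SYSTEM 10.0.0.5 SUCCESS
2008-08-01T09:05:12 ora-db-01 SYSTEM 10.0.0.5 SUCCESS
2008-08-01T09:07:40 ora-db-01 SYS 10.0.0.9 FAIL
2008-08-01T09:07:45 ora-db-01 SYS 10.0.0.9 FAIL
2008-08-01T09:08:02 ora-db-01 SYS 10.0.0.9 SUCCESS
2008-08-01T09:10:00 web-01 root 10.0.0.5 SUCCESS
2008-08-01T09:12:33 web-01 alice 10.0.0.7 SUCCESS
2008-08-01T09:15:00 fw-01 admin 203.0.113.4 SUCCESS
malformed line that the parser must skip
"""
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<user>\S+) (?P<src>\S+) (?P<result>SUCCESS|FAIL)$"
)


def build_inventory(hosts):
    """Flatten the host list into (host, type, account) rows; len() is the liability count."""
    return [(h, info["type"], a) for h, info in hosts.items() for a in info["accounts"]]


def find_hardcoded(snippets):
    """Return (path, line_no, line) for every line that looks like an embedded credential."""
    hits = []
    for path, text in snippets.items():
        for n, line in enumerate(text.splitlines(), 1):
            if HARDCODED.search(line):
                hits.append((path, n, line.strip()))
    return hits


def audit_access(inventory, logs):
    """Replay log lines against the inventory.

    Returns (baseline, failures): baseline maps (host, account) to a Counter of
    source addresses that used it successfully; failures counts failed attempts.
    Accounts not in the inventory are ignored so the view stays privileged-only.
    """
    privileged = {(h, a) for h, _, a in inventory}
    baseline = defaultdict(Counter)
    failures = Counter()
    for line in logs.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # tolerate malformed lines rather than abort the audit
        key = (m["host"], m["user"])
        if key not in privileged:
            continue
        if m["result"] == "FAIL":
            failures[key] += 1
        else:
            baseline[key][m["src"]] += 1
    return baseline, failures


def unused_accounts(inventory, baseline):
    """Privileged accounts in the inventory with no successful use in the window."""
    return sorted((h, a) for h, _, a in inventory if (h, a) not in baseline)


if __name__ == "__main__":
    inv = build_inventory(HOSTS)
    print(f"{len(inv)} shared privileged accounts in inventory")
    for hit in find_hardcoded(SNIPPETS):
        print("hard-coded credential:", hit)
    base, fails = audit_access(inv, LOGS)
    for key, srcs in sorted(base.items()):
        print("baseline", key, dict(srcs), "failed attempts:", fails[key])
    print("unused:", unused_accounts(inv, base))
```

The baseline output is the starting point for the audit: sources that later appear outside the baseline, accounts with repeated failures, and inventoried accounts that are never used (candidates for removal or escrow) all fall out of the same replay.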
It is no longer a question of if the issue of privileged accounts will cross the IT or security doorstep, only when. If you are prepared with an inventory of your password liabilities, a solid policy for managing privileged accounts, and a reasonable plan for implementing a management system, you should be able to sleep a little better at night.
About the author:
Rick Lawhorn, CISSP, CISA, has over 17 years of experience in information technology which includes an extensive security, compliance, privacy and legal background. He is the chief information security officer (CISO) at PlanIT Technology Group and previously was CISO for GE Financial Assurance and Genworth Financial. He has been published in numerous international and domestic security magazines and currently serves on several advisory boards for new, innovative security products. He can be reached at firstname.lastname@example.org.
This was first published in August 2008